You will need to revisit your Windows update for business policies as a result and set a deferral to a point in time that you deem that you will be ready for Windows 10 1903. My recommendation is to set a deferral period to an extreme point in the future: Select 365 days for your deferral. Then when you are ready to deploy 1903, you can reset this value to 0 to trigger the installs. You will want to review your Windows Update for Business settings for the new changes in 1903.

Also new in 1903 is the fact that you no longer are mandated to use a diagnostic data level of Basic or higher to enforce configured policies in Windows update for Business. If your organization is privacy sensitive, you no longer have to ensure that you participate in diagnostics.

Threat protection

Microsoft is adding more protection to this version of Windows 10—specifically, the much anticipated Windows Sandbox feature. It allows you to run untrusted executables in an isolated environment on a desktop PC. When you close Windows sandbox, everything in it is erased so it’s clean the next time you use it.

Both Pro and Enterprise SKUs can benefit from this new feature. To use it, you must have the following:

Windows 10 Pro or Enterprise Insider build 18305 or later (1903)

AMD64 architecture

Virtualization capabilities enabled in BIOS

At least 4GB of RAM (8GB recommended)

At least 1 GB of free disk space (SSD recommended)

At least two CPU cores (four cores with hyperthreading recommended)

You need to enable Windows Sandbox in Windows Features. If your machine does not have virtualization support, the feature will be greyed out. Once you’ve enabled Windows Sandbox, you will need to reboot your computer.

Now you have a built in virtual machine that will allow you to test malicious links without impacting your computer or, better yet, your network.

Susan Bradley

Windows Sandbox

It is similar to the virtual Windows XP that many of us used to migrate from XP to Windows 7 with one major difference: It does not persist after you shut the virtual machine down.

Microsoft Defender ATP changes

Microsoft Defender ATP licensees will find many changes in this edition. You’ll need a Windows Enterprise license and an E5 Windows or E5 Microsoft 365 license. New offerings include:

Attack surface area reduction: You can now specify allow and deny lists for specific URLs and IP addresses.

Tamper protection. When this setting is enabled, you – and attackers – won’t be able to disable defender antivirus.

Emergency outbreak protection. If a zero-day event occurs, machine learning and advanced diagnostics will automatically update devices with new intelligence when a new outbreak has been detected.

Identity management

Microsoft is making a big push to get rid of passwords and enable multi-factor authentication, biometric authentication and other techniques to keep users accounts safe from attack. These changes include:

Remote Desktop with biometrics. If you have Azure Active Directory and Active Directory users that use Windows Hello for Business, 1903 now allows biometric options to authenticate a user to a remote desktop session. This will also be helpful to protect Remote Desktop servers from credential cracking attacks.

Windows Hello now has a FIDO2-certified authenticator. This enables passwordless logins for websites that support FIDO2, such as a Microsoft account and Azure Active Directory.

Security baselines

Microsoft has posted the security baseline documents for 1903 and has included changes and recommendations specific to the 1903 release. In particular, they recommend “Enabling the new ‘Enable svchost.exe mitigation options’ policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically generated code is disallowed.”

As noted in the post, carefully review this setting as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins. Microsoft has also released a preliminary Intune-based security baseline.

Deployment

Deployment of Windows 10 1903 can be done in many ways. You can obtain it from Windows update once your machine is deemed worthy of the update. Microsoft monitors for issues and throttles the updates back on machines that can’t handle the update without vendor fixes. You can monitor for these blocking issues on the Windows release health dashboard site.

You can also deploy the update via WSUS, SCCM, and for new deployments using AutoPilot. You may want to review your deployment strategies and jump over any Windows 10 feature releases that you haven’t deployed and start testing the 1903 release now. The security enhancements and Windows update changes make this a very attractive release for those evaluating versions of Windows 10 to deploy.

Windows 10 1809

The October 2018 release of Windows 10, version 1809, will be what many enterprises will consider their Windows 10 version of choice for several years. The reason? It marks a big change in the patching cadence of Windows 10 as well as updating it.

Changes in .NET patching

Starting with the 1809 version, the .NET patching component has been pulled out of the cumulative Windows 10 update and will now be offered as a separate release similar to how Windows 7 releases .NET patches. If you have a business application that interacts unfavorably with patching, you can now apply the main cumulative update ensuring that you are patched for all the other security issues and hold back on the .NET updating should you need to work with your vendors to ensure compatibility.

Patching cadence changes

Also starting with the 1809 version, Microsoft is changing the cadence for patching for Enterprise and Education customers. As noted in its Microsoft 365 blog, the company is making a major change in how feature releases will be supported for these two versions of Windows 10. As stated on the blog, the cadence change allows an organization to choose the fall release of a feature update and skip two years of feature releases and still be fully supported. As stated in the blog:

All currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. This will give customers on those versions more time for change management as they move to a faster update cycle.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. This will give customers longer deployment cycles the time they need to plan, test and deploy.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of March (starting with 1903) will continue to be supported for 18 months from their release date. This maintains the semi-annual update cadence as our north star and retains the option for customers that want to update twice a year.

All feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (this applies to feature updates targeting both March and September).

If you are licensed for Enterprise or Education versions, choosing the fall release will give a firm a 30-month support window from when it is released. Thus, you can deploy the 1809 version and not deploy another feature release until October 2020 and be fully supported and receive security/quality updates that entire time. Spring feature releases will only receive an 18-month support window, so I predict that most Enterprises and Educational institutions will drop into this 30-month cadence and installation routine.

Windows 10 Professional and Home versions will have an 18-month support window for each spring and fall release. With the Professional version that allows for the easy deferral of the feature release, enterprises can then wait longer than a year between each release.

Windows Defender ATP improvements

If your firm has Windows Enterprise E5 or Microsoft 365 E5 subscription, you now have access to a Threat Analytics dashboard that lists recent attacks and risks.

Microsoft

Defender Security Center Threat Analytics dashboard

This console provides updated information about recent threats and security incidents that target the Windows operating system. The threat dashboard provides guidance in mitigating and defending against the attacks.

Microsoft has also increased reporting in its cloud-based Microsoft Secure Score Dashboard. This is included in Windows 10 Enterprise E5 and Microsoft 365 E5 subscription and allows you to track the status of the antivirus application, operating system security updates, firewall, and other controls. On Windows 10, it drills into the security settings you haven’t enabled that would better protect your system from attacks and threats. In the sample below, the computer system scanned is missing Application Guard, Credential Guard and BitLocker as three protection mechanisms that could be enabled that would immediately increase the threat protection on the platform.

Microsoft

Microsoft Secure Score Dashboard

The console gives an overview of each Windows Enterprise 5 license and its risk level. This is not available to users of Windows Enterprise E3 or Microsoft 365 E3.

Windows Security Center

The Windows Defender Security Center has been renamed to merely Windows Security Center to better identify that it’s the main location for security information. Ransomware protection first introduced in 1709 has been simplified to make it easier to add blocked applications to the interface. Click “Allow an app” through “Controlled folder access.” After the prompt, click the + button and choose “Recently blocked apps” to find the application that has been blocked by the protection. You can then build in an exclusion and add them to the allowed list.

Because time syncing is so key to both authentication as well as being a requirement for obtaining updates, the Windows Time service is now monitored for being in sync with the proper time. Should the system sense that the time sync service is disabled, you will get a prompt to turn the service back on.

A new security providers section exposes all the antivirus, firewall and web protection software that is running on your system. In 1809, Windows 10 requires antivirus to run as a protected process to register. Any antivirus program that has not yet implemented the protected process methodology will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.

Windows Defender Firewall

The firewall in Windows 10 now supports Windows Subsystem for Linux processes. If you are hosting Linux in virtual machines, you can add exceptions in the firewall for Linux processes such as SSH or a web server like Nginx.

Windows Edge

The default browser for Windows 10 now includes more group policy settings. As noted, the new policies let you enable/disable full-screen mode, printing, favorites bar, or saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions.

BitLocker enhancements

Changes have been made to allow BitLocker to be enabled on devices that don’t pass the Hardware Security Test Interface (HSTI). You can also deliver BitLocker policy to AutoPilot devices during Out of box experience process.

Windows Defender Application Guard improvements

If the device supports the settings, Windows Defender Application Guard settings can now be set in the Windows Security interface rather than merely through registry keys. The requirements to enable Application Guard to include having the hardware support Second Level Address Translation (SLAT) and either VT-x (Intel) or AMD-V virtualization extensions for virtualization-based security (VBS).

The new user interface allows end users to review settings their system administrator has made so they understand the behavior that they are seeing. The four settings that can be configured for Application Guard in the Windows Security app are Save data, Copy and paste, Print files and Advanced graphics. These settings impact as follows:

When you browse in Application Guard for Microsoft Edge, certain actions can be disabled. If save data is disabled, users are blocked from saving data while browsing using Application Guard for Microsoft Edge. Turning off copy-and-paste blocks the ability to copy and paste to and from the isolated browser. Disabling print files blocks the ability to print from Edge. Finally, disabling Advanced Graphics improves video and graphics performance with Hyper-V virtualization technology.

To enable these settings, open Windows Security and click on the App & browser control icon. Then click on the “Change Application Guard settings” link under the Isolated browsing section and make the adjustments. Then reboot the computer.